08/30/2017

Hacking Healthcare: The HHS "Wall of Shame" and Cybersecurity

by Geoff Bibby

Since 2009, the Department of Health and Human Services has featured a “Wall of Shame” — a listing of health data breaches that have affected more than 500 patients nationwide. The “wall’s” intention was to allow individuals to better understand whether they were the victims of a breach. The “wall” also provided motivation by generating bad publicity to “shame” healthcare organizations into improving data security. But is that an effective cybersecurity strategy?

The “wall” has been criticized for being unfair and a source of long-term embarrassment for organizations. Others have complained that the site is misleading and obscures the good-faith efforts of organizations trying to navigate a complex cybersecurity landscape.

Recent changes have focused users on only the most recent or most significant data breaches. Defenders of the “wall” believe this step solves the reputation problem, while detractors claim it only obscures the issue of accountability. Though this debate is still being waged, the larger question of how exactly to protect some of our most sensitive data from hackers is the much bigger issue.

How Empathetic Should We Be About These Breaches?

Organizations of all types are subject to immense public scorn after a cyberattack. They typically hang their heads, reluctantly reveal stats or figures, and then emphatically promise to bolster safety and recommit to better protecting patients. Given the rise in attacks and their frequency these days, this cycle has almost become a cliché. Nor is it an effective way to get serious about data security.

In spite of the “Wall of Shame,” widespread media coverage, and the fact that the HHS has been publicizing the names of offenders, the healthcare industry was ranked No. 5 on a list of vulnerable sectors in a study by IBM. That study also found that 71 percent of those breaches were insider breaches — ones that were largely inadvertent, like mistakenly emailing unsecured protected health information or falling for phishing scams.

The reality is that securing healthcare environments is an incredibly complex process: Almost every piece of information can be classified as sensitive and protected under regulations; electronic medical records have exponentially increased the volume of data; and, most recently, untested and poorly secured connected devices are flooding the healthcare system.

That threat landscape is further compounded by the Internet of Things. While promising to revolutionize healthcare, the IoT also puts the whole system at greater risk. The ubiquity of wearable and injectable devices that improve people’s quality of life every day is also opening those people up to vulnerabilities associated with hacking.

Making Cybersecurity a Priority in Healthcare

The balance between understanding these challenges and a need for better security is a delicate one. Holding organizations accountable also requires empathy for the uphill battle they face. And when it comes to healthcare, that battle is a big one. As organizations focus on improving care and lowering costs, they struggle to find the necessary resources for comprehensive cybersecurity, not least because of the many concerns they must juggle at the same time. For that reason, too, it’s hard to recommend any one-size-fits-all solution.

Rather than pointing fingers and laying blame, though, we should search collectively for solutions to problems that affect us all. That’s why we recommend a strategy that is more all-encompassing than niche-oriented. A rigorous commitment to good governance and a systematic approach to expose every potential vulnerability, exploit, or threat vector will enable the necessary plans, protections, and contingencies to be devised and put in place. As part of good governance, organizations can also investigate the advantages of new technologies in the cloud and address the main avenues of risk like email inboxes.

Ultimately, making cybersecurity a priority at every level of an organization is most important. This allows it to respond to the threats of today and anticipate the more advanced threats of tomorrow. Regardless of how public, popular, or prolific the “Wall of Shame” becomes, keeping hackers out of healthcare will always be the end goal.